HHS Releases Final Rule – Updated HIPAA Privacy And Security Rules

HHS has released the long-awaited final rule updating the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA).

Referred to as the “omnibus” privacy and security rule because of its broad reach, it updates the earlier HIPAA rules with the more stringent privacy and security measures passed under the American Recovery and Reinvestment Act of 2009 (ARRA).

In an HHS news release today, HHS Secretary Kathleen Sebelius said, “Much has changed in healthcare since HIPAA was enacted over fifteen years ago. The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”

The final rule clarifies a number of key areas, including when breaches of information must be reported to the Office for Civil Rights; sets new rules on the use of patient-identifiable information for marketing and fundraising; and expands direct liability under the law to the so-called “business associates” of hospitals, physicians and other “HIPAA-covered entities.” Those associates might include a provider’s healthcare data-miners and health information technology service providers.

It also restores to patients a limited right of consent to control the release of their protected health information (PHI) about a treatment to their insurance company when they pay for that treatment out of pocket. And it spells out how the greatly increased penalties for privacy and security violations under the ARRA are to be applied.

The Director of the Office for Civil Rights (OCR), Mr. Leon Rodriguez, also said in the HHS news release today, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” The HHS Office for Civil Rights serves as the lead privacy and security enforcement agency under HIPAA.

Director Rodriguez continues his remarks in the news release by stating, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider or one of their business associates.”